Details
-
Suggestion
-
Resolution: Fixed
-
P3: Somewhat important
-
6.6
-
None
-
fd9c56715 (dev)
Description
Since OpenSSL 1.1.0 it is possible to auto-select DHparams. But Qt provide it's own parameters. It would be helpful to support auto-selection to be consistent with the used certificate size.
https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_dh_auto.html
If "auto" DH parameters are switched on then the parameters will be selected to be consistent with the size of the key associated with the server's certificate. If there is no certificate (e.g. for PSK ciphersuites), then it it will be consistent with the size of the negotiated symmetric cipher key.
Applications may supply their own DH parameters instead of using the built-in values. This approach is discouraged and applications should in preference use the built-in parameter support described above.
https://www.openssl.org/docs/man3.0/man7/migration_guide.html
SSL_CTX_set_tmp_dh_callback(), SSL_set_tmp_dh_callback(), SSL_CTX_set_tmp_dh(), SSL_set_tmp_dh()
These are used to set the Diffie-Hellman (DH) parameters that are to be used by servers requiring ephemeral DH keys. Instead applications should consider using the built-in DH parameters that are available by calling SSL_CTX_set_dh_auto(3) or SSL_set_dh_auto(3). If custom parameters are necessary then applications can use the alternative functions SSL_CTX_set0_tmp_dh_pkey(3) and SSL_set0_tmp_dh_pkey(3). There is no direct replacement for the "callback" functions. The callback was originally useful in order to have different parameters for export and non-export ciphersuites. Export ciphersuites are no longer supported by OpenSSL. Use of the callback functions should be replaced by one of the other methods described above.